Skip to main content

Linux Kernel EUVDEUVD-2026-33668

| CVE-2026-46243 HIGH
Improper Input Validation (CWE-20)
2026-06-01 Linux GHSA-3mg7-pfmq-9qfv
7.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
CVSS changed
Jun 05, 2026 - 07:22 NVD
7.8 (HIGH) 7.1 (HIGH)
Analysis Generated
Jun 01, 2026 - 19:27 vuln.today
CVSS changed
Jun 01, 2026 - 19:22 NVD
7.8 (HIGH)
Patch available
Jun 01, 2026 - 18:01 EUVD
CVE Published
Jun 01, 2026 - 16:22 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 16:22 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: reject userspace cifs.spnego descriptions

cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.

Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.

AnalysisAI

Local privilege escalation in the Linux kernel's SMB/CIFS client allows unprivileged userspace processes to forge cifs.spnego keys via add_key(2) or request_key(2), supplying attacker-controlled pid, uid, creduid, and upcall_target fields that cifs.upcall trusts as kernel-originated. Successful exploitation enables impersonation of CIFS credential negotiation, leading to high confidentiality, integrity, and availability impact on systems mounting SMB shares. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in fs/smb/client within the kernel's CIFS implementation, specifically in how the in-kernel keyring handles keys of type cifs.spnego. These keys are normally produced by the kernel and consumed by the cifs.upcall userspace helper to negotiate SPNEGO/Kerberos authentication for SMB mounts; the description string carries authority-bearing fields (pid, uid, creduid, upcall_target) that cifs.upcall trusts implicitly. Because the Linux keyrings API (add_key(2)/request_key(2)) lets any user create keys of arbitrary types, a local user could synthesize a cifs.spnego key with forged identity fields, bypassing the assumption that only the CIFS module produces them. The root cause maps to CWE-20 (Improper Input Validation): the kernel failed to verify that cifs.spnego key requests originated from its private spnego_cred context before accepting the description. The fix rejects userspace-originated cifs.spnego descriptions outright.

RemediationAI

Vendor-released patches are available - upgrade to a fixed stable kernel: 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, or 7.1-rc5 or later, sourced from the corresponding commits at https://git.kernel.org/stable/c/ (a3bbda6502a9, 2035acfb1722, 7713bd320ed4, 91f89c1d83e8, 9544559e5943, cf20038657d6, 0aece6685fc8, 3da1fdf4efbc). Distribution users should install the vendor kernel update that backports these commits (track Debian, Ubuntu, RHEL, SUSE, Oracle advisories tied to CVE-2026-46243). If patching must be deferred, the primary compensating control is to unload or blacklist the cifs kernel module (modprobe -r cifs; add 'blacklist cifs' to /etc/modprobe.d/) on hosts that do not require SMB client functionality, which eliminates the vulnerable code path at the cost of breaking any SMB mounts. Where CIFS is required, restrict local shell access on multi-user systems and monitor add_key/request_key syscalls for the cifs.spnego type via auditd as a detective control; note this does not prevent exploitation, only surfaces it.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected

Share

EUVD-2026-33668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy